Minor release, security bugfixes. All low severity. https://www.openssl.org/news/cl32.txt
Plugs CVEs: CVE-2024-0727: Fixed PKCS12 Decoding crashes CVE-2023-6237: Fixed excessive time spent checking invalid RSA public keys CVE-2023-6129: Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07. * Remove one patch. Code was added to the release.
Signed-off-by: Christian Melki <christian.me...@t2data.com>
---
 ...frag_len-checking-if-no-Max-Fragment.patch | 41 -------------------
 .../0001-debian-targets.patch | 0
 .../0002-pic.patch | 0
 ...to-enable-ktls-if-target-does-not-st.patch | 4 +-
 ...rialize-allocation-free-of-ssl_names.patch | 0
 ...zero-call-used-regs-used-gpr-from-De.patch | 0
 .../{openssl-3.2.0 => openssl-3.2.1}/series | 3 +-
 rules/openssl.make | 4 +-
 8 files changed, 5 insertions(+), 47 deletions(-)
 delete mode 100644 patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0001-debian-targets.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0002-pic.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch (96%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0004-conf-Serialize-allocation-free-of-ssl_names.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch (100%)
 rename patches/{openssl-3.2.0 => openssl-3.2.1}/series (73%)
diff --git a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch b/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
deleted file mode 100644
index 814bd07be..000000000
--- a/patches/openssl-3.2.0/0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Matt Caswell <m...@openssl.org>
-Date: Tue, 2 Jan 2024 16:48:43 +0000
-Subject: [PATCH] Don't apply max_frag_len checking if no Max Fragment Length
- extension
-
-Don't check the Max Fragment Length if the it hasn't been negotiated. We
-were checking it anyway, and using the default value
-(SSL3_RT_MAX_PLAIN_LENGTH). This works in most cases but KTLS can cause the
-record length to actually exceed this in some cases.
-
-Fixes #23169
----
- ssl/record/methods/tls_common.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
-index 423777c18dd4..1a9320ae74de 100644
---- a/ssl/record/methods/tls_common.c
-+++ b/ssl/record/methods/tls_common.c
-@@ -910,11 +910,17 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
- }
- 
- /*
-- * Check if the received packet overflows the current
-- * Max Fragment Length setting.
-- * Note: rl->max_frag_len > 0 and KTLS are mutually exclusive.
-+ * Record overflow checking (e.g. checking if
-+ * thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) is the responsibility of
-+ * the post_process_record() function above. However we check here if
-+ * the received packet overflows the current Max Fragment Length setting
-+ * if there is one.
-+ * Note: rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH and KTLS are
-+ * mutually exclusive. Also note that with KTLS thisrr->length can
-+ * be > SSL3_RT_MAX_PLAIN_LENGTH (and rl->max_frag_len must be ignored)
- */
-- if (thisrr->length > rl->max_frag_len) {
-+ if (rl->max_frag_len != SSL3_RT_MAX_PLAIN_LENGTH
-+ && thisrr->length > rl->max_frag_len) {
- RLAYERfatal(rl, SSL_AD_RECORD_OVERFLOW, SSL_R_DATA_LENGTH_TOO_LONG);
- goto end;
- }
diff --git a/patches/openssl-3.2.0/0001-debian-targets.patch b/patches/openssl-3.2.1/0001-debian-targets.patch
similarity index 100%
rename from patches/openssl-3.2.0/0001-debian-targets.patch
rename to patches/openssl-3.2.1/0001-debian-targets.patch
diff --git a/patches/openssl-3.2.0/0002-pic.patch b/patches/openssl-3.2.1/0002-pic.patch
similarity index 100%
rename from patches/openssl-3.2.0/0002-pic.patch
rename to patches/openssl-3.2.1/0002-pic.patch
diff --git a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
similarity index 96%
rename from patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
rename to patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
index 6275de708..6b518ef22 100644
--- a/patches/openssl-3.2.0/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
+++ b/patches/openssl-3.2.1/0003-Configure-allow-to-enable-ktls-if-target-does-not-st.patch
@@ -28,7 +28,7 @@ Signed-off-by: Michael Olbrich <m.olbr...@pengutronix.de>
 2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
-index d1a15a115274..d15d28499a21 100644
+index 2a047caa7d4a..aa2685be93b9 100644
 --- a/Configurations/10-main.conf
 +++ b/Configurations/10-main.conf
 @@ -693,7 +693,7 @@ my %targets = (
@@ -41,7 +41,7 @@ index d1a15a115274..d15d28499a21 100644
 "linux-latomic" => {
 inherit_from => [ "linux-generic32" ],
 diff --git a/Configure b/Configure
-index cbba1749b5a3..a69068121949 100755
+index cca1ac8d162e..c9bbcbbed3e6 100755
 --- a/Configure
 +++ b/Configure
 @@ -1765,7 +1765,7 @@ unless ($disabled{devcryptoeng}) {
diff --git a/patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch b/patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
similarity index 100%
rename from patches/openssl-3.2.0/0004-conf-Serialize-allocation-free-of-ssl_names.patch
rename to patches/openssl-3.2.1/0004-conf-Serialize-allocation-free-of-ssl_names.patch
diff --git a/patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch b/patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
similarity index 100%
rename from patches/openssl-3.2.0/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
rename to patches/openssl-3.2.1/0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
diff --git a/patches/openssl-3.2.0/series b/patches/openssl-3.2.1/series
similarity index 73%
rename from patches/openssl-3.2.0/series
rename to patches/openssl-3.2.1/series
index 309ec1465..cd66cc21a 100644
--- a/patches/openssl-3.2.0/series
+++ b/patches/openssl-3.2.1/series
@@ -7,5 +7,4 @@
 0004-conf-Serialize-allocation-free-of-ssl_names.patch
 0005-Configure-drop-fzero-call-used-regs-used-gpr-from-De.patch
 #tag:upstream --start-number 100
-0100-Don-t-apply-max_frag_len-checking-if-no-Max-Fragment.patch
-# d6f307e5d2ef578b08c895257daa6fbc - git-ptx-patches magic
+# ab24a399a1a602376760e385c08ab320 - git-ptx-patches magic
diff --git a/rules/openssl.make b/rules/openssl.make
index bc1322725..7080bd50b 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 #
 # Paths and names
 #
-OPENSSL_VERSION := 3.2.0
-OPENSSL_MD5 := 7903549a14abebc5c323ce4e85f2cbb2
+OPENSSL_VERSION := 3.2.1
+OPENSSL_MD5 := c239213887804ba00654884918b37441
 OPENSSL := openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX := tar.gz
 OPENSSL_URL := \
-- 
2.34.1